1 Motivation

The secure operation of SSL/TLS relies on a set of trusted Certificate
Authorities (CAs) to authenticate public keys [1]. In practice, the set of
trusted CAs is bundled into operating systems and web browsers. Therefore, the
Public Key Infrastructure (PKI) is centralized, as only CAs chosen by operating
system and web browser vendors may issue valid certificates. This system is
exclusive; it is expensive to convince operating system and web browser vendors
to bundle a CA, therefore entities must usually pay CAs to sign their public
keys. It's also insecure; every CA has the ability to create unauthentic
certificates for any entity.

PGP is a data encryption and decryption standard that does not use CAs
to verify the authenticity of public keys. Instead, it offers a feature that allows
individuals to sign other individuals' public keys to certify their authenticity.
This creates a web-of-trust model [2] that can be navigated to determine the
authenticity of public keys belonging to individuals that have no pre-shared
secret with each other.

The web-of-trust model is a first step towards a decentralized PKI. However, 
PGP itself is not a PKI as it does not provide a way to retrieve public keys. 
Commonly, PKI for PGP is implemented as centralized keyservers that are used 
to query for public keys. 

Ideally, a PKI for PGP would be fully decentralized and not rely on
centralized servers.

1.1 Aim 

The aim of this project is to create a fully decentralized PKI that allows for 
the storage and retrieval of public keys, including PGP public keys. The PKI 
should allow public keys to be authenticated by other public keys, allowing for 
a decentralized web-of-trust. 
2 Software

The system is to be implemented as a smart contract on the Ethereum blockchain [3],
with a set of Python command-line tools to publish and retrieve public keys and
signatures.

The smart contract will have functions to publish public keys and signatures 
of public keys. Smart contracts are written using the Solidity scripting language. 

In Ethereum, a "gas" cost is charged for code executed in a smart
contract. As verifying cryptographic signatures requires a large number of steps,
it will be too costly to implement generic cryptographic signature verification
in a smart contract, including PGP signature verification. Furthermore, PGP
keys are often multiple kilobytes in length, which can prove to be costly to store
in the Ethereum blockchain.

Currently, Solidity natively supports secp256k1 ECDSA + SHA3 signature
verification [4]. The PKI should allow for storing and signing ECDSA keys.

This PKI system would allow for ECDSA keys to be connected to hashes, 
fingerprints and IDs of other types of keys, including but not limited to PGP. In 
order for a fingerprint to be connected, the ECDSA key must sign the hash and 
publish the signature to the blockchain. Likewise, the key represented by the 
hash must sign the ECDSA key and present the signature with the key when 
the full version of the key is downloaded. 

Using the hash of a key, a client can then download the full key using a
decentralized file storage system that enables files to be downloaded by hash
lookup, in particular Distributed Hash Tables [5]. The client should then verify
that the signature of the corresponding ECDSA key by the downloaded key is valid.